Not too long ago, Elcomsoft released a tool for cracking laptop disk encryption; it targeted machines using PGP, TrueCrypt, and Microsoft’s BitLocker. The tool exploited a weakness in the FireWire / iLink / IEEE 1394 interface that has been known for years: a device on that bus gets direct memory access (DMA) to the host, and the encryption keys sit in RAM for as long as the volume is mounted.
Well, now there’s a software tool that uses the same weakness against far more than those three encryption products.
Inception – Bwong, Bwong, Your Computer’s Hacked!
According to breaknenter.org,
Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.
The asterisk covers a few caveats, which you can read here. Again, none of this is new, which was probably the main criticism security researchers offered when Elcomsoft announced their product. The creators of Inception say as much themselves:
DMA attacks have been known for many years, so this is nothing new (except for the fact that I will reverse engineer new signatures and update the tool’s functionality until the problem is fixed). However, vendors generally dismiss DMA attacks as a non-issue, which I hope that the awareness that this tool generates will change. Users deserve secure devices, even when attackers gain physical access.
Also, I gleaned a little extra information that I had not considered before: the attack also works on a machine that has no FireWire port at all. According to the FAQ,
You can use any interface that expands the PCIe bus, for example PCMCIA, ExpressCards, the new Thunderbolt interface and perhaps SD/IO to hotplug a FireWire interface into the victim machine. The OS will install the necessary drivers on the fly, even when the machine is locked. [my emphasis]
Which makes me wonder why the Inception team offers the following “attack mitigation” practices, some of which amount to uninstalling drivers:
Block the SBP-2 driver
Remove FireWire drivers from your system if you don’t need to use FireWire
Don’t panic – if you are using FileVault2 and OS X Lion (10.7.2) and higher, the OS will automatically turn off DMA when locked – you’re still vulnerable to attacks when unlocked, though
Set a firmware password
Disable DMA or remove the 1394 drivers (see the ‘Mitigation: Linux’ section)
Granted, it could be that other tools that exploit the weakness do not use the “install drivers on the fly” trick, which would make the above valid advice against them. More to the point, the drivers the OS installs on the fly are for the hot-plugged FireWire controller; what actually grants the attacker’s device DMA access is the SBP-2 storage-protocol driver, which the victim OS loads when Inception presents itself as an SBP-2 disk. Block or remove that driver and a hot-plugged card gains nothing, so the first and last items above still hold on a machine with no built-in port.
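To make the “block the SBP-2 driver” and “remove the 1394 drivers” items concrete on Linux, here is an added example script. It is not code from the Inception project or from this post’s author. It assumes the module names `firewire_sbp2` (the current “juju” stack) and `sbp2` (the old ieee1394 stack), that `lsmod` prints names with underscores while modprobe.d accepts dashes or underscores interchangeably, and it picks a hypothetical file name under `/etc/modprobe.d/`.

```shell
#!/bin/sh
# Added example (not from the Inception project): find and block the
# FireWire SBP-2 driver on a Linux victim. The controller driver
# (firewire_ohci) can be loaded on the fly for a hot-plugged card, but the
# SBP-2 driver is what logs a "storage device" in and opens physical DMA
# to it, so that is the driver to unload and pin down.
#
# Assumptions: firewire_sbp2 (juju stack) and sbp2 (old ieee1394 stack)
# are the module names; lsmod shows underscores; modprobe.d accepts dash
# or underscore; the conf path below is made up for this example.
SBP2_MODULES="firewire_sbp2 sbp2"
CONF=/etc/modprobe.d/blacklist-firewire-sbp2.conf

# Read lsmod-style output on stdin, print each loaded SBP-2 module, and
# exit 1 if any was found (the machine is exposed), 0 otherwise.
sbp2_loaded_from() {
    awk -v mods="$SBP2_MODULES" '
        BEGIN { n = split(mods, m, " "); for (i = 1; i <= n; i++) want[m[i]] = 1 }
        NR > 1 && ($1 in want) { print $1; found = 1 }
        END { exit (found ? 1 : 0) }'
}

# Live check against the running kernel.
sbp2_loaded() { lsmod | sbp2_loaded_from; }

# modprobe.d fragment. "blacklist" only stops alias-driven autoload
# (the udev path a hot-plug event takes); "install ... /bin/false" also
# defeats an explicit modprobe or a dependency pull-in.
sbp2_blacklist_conf() {
    for m in $SBP2_MODULES; do
        mod=$(printf '%s\n' "$m" | sed 's/_/-/g')
        printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod"
    done
}

# Apply: write the fragment, unload anything already loaded, re-check.
sbp2_block() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 2; }
    sbp2_blacklist_conf > "$CONF"
    for m in $(lsmod | sbp2_loaded_from); do
        rmmod "$m" || return 1
    done
    if sbp2_loaded >/dev/null; then
        echo "SBP-2 blocked; re-check after a reboot (the initramfs may carry its own copy)"
    else
        echo "SBP-2 driver still loaded" >&2
        return 1
    fi
}

case "${1:-}" in
    check) sbp2_loaded && echo "no SBP-2 driver loaded" || echo "EXPOSED: SBP-2 driver is loaded" ;;
    block) sbp2_block ;;
    conf)  sbp2_blacklist_conf ;;
esac
```

Run it as `sh sbp2-block.sh check` to see whether the driver is loaded right now, and `sudo sh sbp2-block.sh block` to blacklist and unload it. The exit status of `sbp2_loaded` is deliberately 1 when the driver is present so the check can be dropped into a cron job or a compliance scan. This only addresses the SBP-2 path; the “disable DMA” half of the Inception advice (an IOMMU, or no 1394 controller driver at all) is a separate control.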
A key point, and what I consider the basis for the main mitigation method I’m aware of, is not mentioned: the attack can only recover what is in the computer’s RAM, and a DMA attack needs the machine powered on in the first place. With nothing in RAM there is nothing to steal. The natural question is: when is your RAM empty or purged?
Learn to Dispense with Hibernation, Turn Your Computer Off
Your computer’s RAM is devoid of content when it is turned off. Not in sleep (where RAM stays powered) or hibernation (where a copy of RAM lands on disk), but off. That is, as far as I know, the only sure way to impede what I call a FireWire attack. In fact, it’s not just a matter of turning the computer off. Because data in RAM takes time to decay after power is cut (from under a minute to a couple of hours, depending mostly on temperature), a related attack, the cold boot attack, is possible in the following scenario:
- You start shutting down the computer but, being in a hurry, you walk away before it finishes, knowing it will turn off eventually.
- While you’re gone and the computer is still shutting down, someone grabs it, opens the case, and freezes the RAM (a can of compressed air held upside down works in a pinch). On most laptops this is a stretch unless the attacker is willing to wreck the keyboard or the case: getting to the RAM means a lot of unscrewing, and you are not freezing it inside a minute, electric screwdriver or not. It’s not completely impossible, though.
- The attacker dumps the frozen memory. Note that this step is a cold boot attack rather than Inception’s DMA path: Inception needs a running OS with the FireWire drivers loaded, which a machine that has finished shutting down no longer has, so the chilled modules are read by booting a minimal memory dumper or moving them to another machine.
- Data breach, and possibly you’re none the wiser.
If you value your data, and you’re paranoid enough, you’ll stand by your computer until it shuts off fully, and stay with it for a minute or so afterward. Me, I just make sure it’s been shut off. I’m paranoid, but not paranoid enough.